Blizzard delays Diablo III real-money auctions indefinitely

The company also responds to concerns over account hacking.

Those of you hoping to quit your jobs and make a living selling your Diablo III loot for real money will have to keep flipping burgers a little while longer as Blizzard has announced the game's much-discussed real-money auction house has moved "outside the previously estimated May timeframe."

The real-money auction service was originally planned to launch a week after the game's May 15 release, but the rollout was briefly pushed back to a planned May 29 before this latest delay. Blizzard now says that it "need[s] a bit more time to iron out the existing general stability and gameplay issues" in order to "ensure everyone has the smoothest experience possible" with the service. While the company didn't suggest a new date for the launch, it did promise to have "more information soon."

Meanwhile, many Diablo III forum users have been complaining loudly about hackers breaking into their accounts and stealing accumulated items and gold, a problem that would seem crucial to fix before those items start having a real-world value through the auction house. Blizzard officially responded to these reports today, stressing that its servers have not been compromised. The "extremely small" number of complaints that Blizzard has received about compromised accounts have all boiled down to traditional password-stealing methods, the company said, despite rumors of "session spoofing" and other esoteric attacks.

I would suggest that all the wild stories about widespread hacking and inherent vulnerabilities being total crap should be a bigger part of the story. Or indeed a story in itself. Many sites were happy to portray some new and dangerous attack vector, when it seems that there was in fact no such thing.

Don't get me wrong, I've been booted a number of times now on my rock-solid business class connection while other tasks ticked away happily. And not having the ability to save and continue is just absurd. But fair is fair.

I'm having fun btw - just ruined a little by having to consider how much more I want to play every time I get to a checkpoint...

Not sure if you have used an authenticator recently, but once you log in they don't usually ask for it again until several days later. Assuming they just flag the IP address with a successful login as trusted so they don't bother you again till later.

I have a hard time blaming Blizzard on this one. This is anecdotal, but bear with me: my cousin got hacked and was complaining very loudly about it. When I asked her, she freely told me her password, which was very weak, and that she refused to use an authenticator for some moral reason I couldn't quite understand since it never approached rationality.

She'd never played an MMO before and was completely unaware that account stealing was a thing.

If she's any indicator on the type of people getting hacked, then I have very little sympathy, and I have a harder time understanding how it's Blizzard's fault.

At the end of the day it's on you to protect your stuff. If you don't want to use a hard password, or an authenticator, that's on you, not Blizz.

I wish there was a way you could manage your battle.net account to only allow connections from an IP range, or if it detected a connection outside of that normal range it could mail you a one-time-use code like Steam does.

It'd be a lot harder to hack people's accounts if they let you use normal special characters in the password... way to live in 1999 so you can push your authenticator, Blizzard.

The authenticator is free on Android and iOS; you only need to buy a physical one if you don't have those devices. I've even heard there are ways to install the mobile auth on your desktop to use it that way.

The point isn't about password strength, it's that people get their passwords stolen, either by malware/keylogger, or by using the same password on multiple sites, and one of the other sites getting compromised.

The authenticator only has to be input once per 7 days in the game (based on IP), unless you'd like it to prompt you every time, in which case you can turn it on to always prompt in your battle.net profile.

The fact that so many sites ran with the supposed session spoofing bullshit story is an absolute shame, and you don't see any of them recanting now. Session spoofing in a TCP/IP-based game?

Quote:

Not sure if you have used an authenticator recently, but once you log in they don't usually ask for it again until several days later. Assuming they just flag the IP address with a successful login as trusted so they don't bother you again till later.

If your IP hasn't changed, by default you'll only be asked to enter the authenticator code approx. once per week per machine when signing into WoW, SC2, or D3. This can be toggled to every login on the bnet account management page. That on the other hand requires the authenticator code every login.

I stopped by last night and took a look at the D3 forums where they are complaining about this, and it's a repeat of countless "I've been hacked and it's totally not my fault even though I don't use an authenticator" threads from the WoW forums. Hacking bnet accounts is very old hat by now; frankly, you're asking for trouble if you don't use an authenticator, especially when the smartphone version is free and the physical fob is only a few bucks. You can even set up SMS alerts and use SMS as a fallback to unlock your account if you lose the authenticator app (wipe phone, new phone, etc.).

Majorly agree with groghunter however that Blizzard are morons for only accepting alphanumerics for passwords.

I find it pretty sad that first they say how secure their system is, making sure to hype up the fact that it's an online-only feature as well, but then turn around and essentially say "but we recommend buying one of our Battle.net authenticator fobs or downloading the mobile app". There is a distinct problem when a game almost requires you to either have a 15-character or longer password, that you make sure to ONLY copy and paste when you log in to your game, as well as buy an additional item just to make sure nobody takes your stuff.

I don't care how someone starts the "Well, it's Blizzard...." as if that's supposed to be some sort of magic wand to make all of the issues more reasonable. If they, meaning Blizzard and Activision, KNEW that their game would be the target of hackers, why didn't they ship the game with a more robust set of security features that came WITH the game? Neither the standard nor collector's versions even come with a security authenticator fob, which, after looking at all of this, would have been a good idea; making the authenticator fob mandatory to use rather than optional would have been better.

So remind me again how being online all the time was supposed to help prevent all of this and add all of these wonderful value-added features that everyone will love? Or, better yet, ask why neither Blizzard nor Activision included stronger security if they knew their games were prone to being targeted?

The authentication process is a pain in the ass. I use a strong password that I don't use on any other account. Never been hacked once.

Passwords and authenticators solve different security problems, and should be used together.

Quote:

I would suggest that all the wild stories about widespread hacking and inherent vulnerabilities being total crap should be a bigger part of the story. Or indeed a story in itself. Many sites were happy to portray some new and dangerous attack vector, when it seems that there was in fact no such thing.

It's a little early to say that. If there is a session spoofing vector, Blizzard would either be obligated to deny it at least until they have a fix to minimize it, or just shut down all the multiplayer parts of the game (oops, that's all of it). While claims of "I have been hacked, and I had a 40 character password, an authenticator, and Bobby Kotick has to drive to my house and verify my identity before I can log on" should always be taken skeptically, when there's a lot of noise from trustworthy people (like with the still unaddressed Xbox Live hacking) something is probably going on.

A lot of these hacking attempts are targeted at World of Warcraft. I'm sure that Diablo III is just a casualty since they share the same infrastructure; there's no money in Diablo III yet, so it wouldn't be a logical target other than for the sheer frustration factor.

Also, a lot of these hacking attempts are due to keyloggers, so your password could be 32 characters long and super obscure, and it wouldn't matter because you tried installing that Flash update that was actually malware tracking your keystrokes.

Well, at least they're trying not to release a half-baked system when real money is involved. I don't ever plan to use the RMAH, but social games and F2P MMORPGs have demonstrated that some people are more than willing to be parted from their money for in-game items. Can't really criticize them for catering to that demand... What can be criticized is the fact that people who aren't interested have to suffer the consequences of design options that only seem to cater to the real money system...

By the way, I'd love to see an in-depth piece about the Diablo III hackings. Are there any reliable numbers regarding the total affected users? How did the accounts get hacked: phishing, brute force password cracking? Whatever the case, when real money is involved, Blizzard had better cover their ass, or else I smell class-action lawsuits from robbed players...

Quote:

There is a distinct problem when a game almost requires you to either have a 15-character or longer password, that you make sure to ONLY copy and paste when you log in to your game, as well as buy an additional item just to make sure nobody takes your stuff.

That's just good security, and you will see more of it from everywhere in the future. You are being foolish for example if you aren't using an authenticator with your google accounts.

Quote:

Neither the standard nor collector's versions even come with a security authenticator fob, which, after looking at all of this, would have been a good idea; making the authenticator fob mandatory to use rather than optional would have been better.

I strongly suspect that the vast majority of players use the phone apps now, so adding an authenticator would be a waste. If you are super-cheap and have somehow avoided getting a modern phone you can use a call-in authenticator.

Quote:

I find it pretty sad that first they say how secure their system is, making sure to hype up the fact that it's an online-only feature as well, but then turn around and essentially say "but we recommend buying one of our Battle.net authenticator fobs or downloading the mobile app". There is a distinct problem when a game almost requires you to either have a 15-character or longer password, that you make sure to ONLY copy and paste when you log in to your game, as well as buy an additional item just to make sure nobody takes your stuff.

I don't care how someone starts the "Well, it's Blizzard...." as if that's supposed to be some sort of magic wand to make all of the issues more reasonable. If they, meaning Blizzard and Activision, KNEW that their game would be the target of hackers, why didn't they ship the game with a more robust set of security features that came WITH the game? Neither the standard nor collector's versions even come with a security authenticator fob, which, after looking at all of this, would have been a good idea; making the authenticator fob mandatory to use rather than optional would have been better.

So remind me again how being online all the time was supposed to help prevent all of this and add all of these wonderful value-added features that everyone will love? Or, better yet, ask why neither Blizzard nor Activision included stronger security if they knew their games were prone to being targeted?

A system is only as secure as its weakest link, which is almost always the end user. I can secure my network to be airtight, but if you have "god" as your password, and give it to every site that looks like it might be official, I can't be blamed when you lose your shit. The authenticator is there to help you, because you're bad. If your system could be trusted to not have a keylogger, and you never give your password away, and you have a strong password, then there wouldn't be a need for an auth. Don't blame Blizzard/Trion/anyone who uses an auth key/etc. for the end user's failure.

I have never completely understood the reasons for outlawing third party markets for game items other than that companies want a piece of the action. The market in Diablo II policed itself pretty well.

Because it's easier for criminals (and gold farmers are typically foreign criminals) to just hack people's accounts and steal their stuff to sell than to farm it the hard way. They also use stolen credit cards to create accounts, which ends up costing the game companies a lot in chargebacks, penalties, and higher fees because game transactions are high risk. Short circuiting it with an official way to buy gold means that most people will go legit instead of buying from shady websites (who will probably try to install malware and steal everything they sold you back).

Quote:

I find it pretty sad that first they say how secure their system is, making sure to hype up the fact that it's an online-only feature as well, but then turn around and essentially say "but we recommend buying one of our Battle.net authenticator fobs or downloading the mobile app".

Uh, using the authenticator is part of what improves the security. You can't refuse to use half of the security improvements and then complain that security isn't really improved.

Otherwise, you may as well find it pretty sad that first they say how secure their system is, making sure to hype up the fact that a password is required, but then turn around and essentially say "but we can't stop you from pasting your password in forum sigs and using it as your IM status or handing it directly to thieves."

No system can prevent a user from undermining themselves. That doesn't make its security sad.

If two-factor authentication is available, you should use it. I don't know how this is disputable.

I was more than a little unnerved when I got kicked out of my very first session due to "your account has been activated from another location" or something to that effect. Just blew it off due to it being my first character on a new account, plus I was almost immediately kicked out. Who knows after reading this though.

So wait, you're telling me that the entire public rationale for making Diablo III require a persistent online connection in order to play your single-player game has now been indefinitely delayed? There is now no official reason why I'm not allowed to play my game without a connection to Blizzard's servers?

I can't help but laugh at this. Between the extreme DRM (no offline single-player? Seriously?) and the real-money auction house, it's clear that Diablo III was nothing more than a massive cash grab, and I'm glad to see it biting Blizzard in the ass.

Never heard of session spoofing from a non-always-on game... just pointing that out in case Bobby Kotick is reading.

If it had any kind of multi-player AT ALL, people would still be trying to hack it. The lack of "always online" sure helped out the security for Diablo II, didn't it?

The point is that some of us have no interest in playing the game with strangers. Some of us just want to play single-player or with friends on a LAN. These vulnerabilities only impact us because Blizzard/Activision think that if they let us play disconnected that we would pirate the game.

This is one of the many reasons I no longer buy Activision games. I sure am looking forward to Torchlight 2!

Quote:

I wish there was a way you could manage your battle.net account to only allow connections from an IP range, or if it detected a connection outside of that normal range it could mail you a one-time-use code like Steam does.

Battle.net does do this... with the authenticator. Normally, the authenticator will only ask you once a week, but if it detects a login that's not from your usual place, it'll ask for the authenticator code. Battle.net also has SMS alerts that will text message you on suspicious activity, and when you change your security info. You can also reset your password from SMS.

Quote:

I find it pretty sad that first they say how secure their system is, making sure to hype up the fact that it's an online-only feature as well, but then turn around and essentially say "but we recommend buying one of our Battle.net authenticator fobs or downloading the mobile app".

They recommend an authenticator because it helps in preventing phishing scams, the main way people "hack" your account.

For a lot of the people who say they got hacked "even with an authenticator," there's more going on behind the scenes, that's also that person's fault. The hacker also has their email credentials, and is able to go to their victim's battle.net account and turn off their authenticator. You won't notice, because the game doesn't prompt for it every time. The emails that are sent out when account changes occur are deleted by the hacker, and they are free to drain your account of assets.

Account hacking is big business in WoW, and bypassing an authenticator isn't any more difficult than obtaining the target's email.

Quote:

It'd be a lot harder to hack people's accounts if they let you use normal special characters in the password... way to live in 1999 so you can push your authenticator, Blizzard.

You can use special characters in your Battle.net password. Of course not a single account has ever been brute forced so it really doesn't matter.

pjladyfox wrote:

There is a distinct problem when a game almost requires you to either have a 15-character or longer password, that you make sure to ONLY copy and paste when you log in to your game, as well as buy an additional item just to make sure nobody takes your stuff.

Neither the standard nor collector's versions even come with a security authenticator fob, which, after looking at all of this, would have been a good idea; making the authenticator fob mandatory to use rather than optional would have been better.

So remind me again how being online all the time was supposed to help prevent all of this and add all of these wonderful value-added features that everyone will love? Or, better yet, ask why neither Blizzard nor Activision included stronger security if they knew their games were prone to being targeted?

You do understand that copying and pasting your password does not protect you against malware designed to harvest your keystrokes, right?

Blizzard does not make the authenticators they sell. They are simply a customer of Vasco. I will say that EA was able to provide authenticators to people who purchased the collector's edition of Star Wars: The Old Republic; of course, the Collector's Edition also was $150 at launch. Who knows what kind of volume there actually was.

In the end it would be a waste of both money and authenticators to give everyone who purchases Diablo an authenticator. I have had one since they launched; either way you pay for it, so this complaint makes no sense to begin with. People are just lazy; even if it did come with an authenticator people WOULD NOT USE IT, because people are lazy.

The problem isn't Blizzard's security; the problem actually is the player's security, always has been and always will be. Even if Diablo III were 100% online people would still get hacked. It happened in Diablo II, and it will continue to happen because of lazy players and bad security on the part of players.

Quote:

So wait, you're telling me that the entire public rationale for making Diablo III require a persistent online connection in order to play your single-player game has now been indefinitely delayed? There is now no official reason why I'm not allowed to play my game without a connection to Blizzard's servers?

It was one reason of several. Anti-cheating and being lazy about not wanting to deal with treating the ladder/non-ladder character distinction was probably more of a reason for online only than the RMAH.

Quote:

It'd be a lot harder to hack people's accounts if they let you use normal special characters in the password... way to live in 1999 so you can push your authenticator, Blizzard.

Quote:

The authenticator is free on Android and iOS; you only need to buy a physical one if you don't have those devices. I've even heard there are ways to install the mobile auth on your desktop to use it that way.

The point isn't about password strength, it's that people get their passwords stolen, either by malware/keylogger, or by using the same password on multiple sites, and one of the other sites getting compromised.

The authenticator only has to be input once per 7 days in the game (based on IP), unless you'd like it to prompt you every time, in which case you can turn it on to always prompt in your battle.net profile.

The fact that so many sites ran with the supposed session spoofing bullshit story is an absolute shame, and you don't see any of them recanting now. Session spoofing in a TCP/IP-based game?

A second factor of authentication does not make it ok to make the first factor non-compliant with standard security practices. That's not how two-factor authentication works (even though everybody does it that way). It is ESPECIALLY troubling when you start looking at things like the recent RSA breaches, and the story from a few days ago where some researchers were able to spoof a token. If they can do it to RSA tokens, there's no reason why they can't do it to B-net authenticators; the underlying technology isn't significantly different.

Quote:

I find it pretty sad that first they say how secure their system is, making sure to hype up the fact that it's an online-only feature as well, but then turn around and essentially say "but we recommend buying one of our Battle.net authenticator fobs or downloading the mobile app".

They recommend an authenticator because it helps in preventing phishing scams, the main way people "hack" your account.

Yep, you are required to enter two auth codes to remove it from your account, let alone one to access it on the web. Even if they have your email hacked, as long as you do not have your auth serial recorded you should be good.

Kyle Orland / Kyle is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from University of Maryland. He is based in Pittsburgh, PA.